Sign up to receive free email alerts when patent applications with chosen keywords are publishedSIGN UP

Abstract:

A method, system, and apparatus of network artifact identification and
extraction are disclosed. In one embodiment, a method includes
aggregating a payload data (e.g., may be a component of the extracted
artifact) from different network packets to form an aggregated payload
data, matching the payload data with an entry of a library of known
artifacts, determining a type of the payload data based on a match with
the entry of the library of known artifacts, separating the payload data
from a header data in a network packet, and communicating the aggregated
payload data as an extracted artifact to a user. The method may include
using the extracted artifact to perform network visibility analysis of
users on packets flowing across the network. The method may validate that
the entry is accurate by performing a deeper analysis of the payload data
with the entry of the library of known artifacts.

Claims:

1. A method comprising:aggregating a payload data from different network
packets to form an matching the payload data with an entry of a library
of known artifacts;determining a type of the payload data based on a
match with the entry of the library of known artifacts;separating the
payload data from a header data in a network packet; andcommunicating the
aggregated payload data as an extracted artifact to a user.

2. The method of claim 1 further comprising:using the extracted artifact
to perform network visibility analysis of a plurality of users on packets
flowing across the network, wherein the extracted artifact is at least
one of a word processing document, a spreadsheet document, a database, an
image, a video, a multimedia file, an email, an instant message
communication, an audio file, a compressed file, an executable file, a
web page, and a presentation.

3. The method of claim 1 further comprising:validating that the entry is
accurate by performing a deeper analysis of the payload data with the
entry of the library of known artifacts;determining that the payload data
is encrypted;applying an encrypted data processing module of a network
appliance to generate a request for the encrypted data from a source on
behalf of a requestor;receiving a decryption key from a source of the
encrypted data;decrypting the encrypted data on the network appliance
using the decryption key; anddetermining the type of the encrypted data
based on the decryption.

4. The method of claim 1 further comprising:determining that the artifact
is incomplete through an examination of a file structure with a known
file specification; andcommunicating at least a portion of the incomplete
artifact to the user.

5. The method of claim 1 further comprising forming the library of known
artifacts by identifying markers found in data files stored in each
instance of a particular type of artifact.

6. The method of claim 5 wherein the payload data is a component of the
extracted artifact, and wherein the markers include at least one of start
bits of the artifact, payload length of the artifact, a set of ending
bits, and other identification bits found in each instance of the
artifact.

7. The method of claim 1 in a form of a machine-readable medium embodying
a set of instructions that, when executed by a machine, causes the
machine to perform the method of claim 1.

8. A system comprising:a packet rearrange module to reorder a network
packet and other network packets based on a sequence number of each of
the network packet and other network packets;a packet analyzer module to
separate a payload data from a header data in the network packet;an
identification module to match the payload data with an entry of a
library of known artifacts;a validation module to verify that the entry
is accurate by performing a deeper analysis of the payload data with the
entry of the library of known artifacts;a type module determine a type of
the payload data based on a match with the entry in the library of known
artifacts;a presentation module to aggregate the payload data from
different network packets to form an aggregated payload data; andan
extraction module to communicate the aggregated payload data as an
extracted artifact to a user.

9. The system of claim 8 further comprising:a network visibility module to
perform network visibility analysis of a plurality of users on packets
flowing across the network using the extracted artifact, wherein the
extracted artifact is at least one of a word processing document, a
spreadsheet document, a database, an image, a video, a multimedia file,
an email, an instant message communication, an audio file, a compressed
file, an executable file, a web page, and a presentation.

10. The system of claim 8 further comprising:a determination module to
determine that the payload data is encrypted;encrypted data processing
module to generate a request for the encrypted data from a source on
behalf of a requestor and to receive a decryption key on a network
appliance; anda decryption module to apply the decryption key to decrypt
the encrypted data on the network appliance.

11. The system of claim 8 further comprising:an incomplete management
module to determine that the artifact is incomplete, and to communicate
at least a portion of the incomplete artifact to the user.

12. The system of claim 8 further comprising a library formation module to
create the library of known artifacts by identifying markers found in
data files stored in each instance of a particular type of artifact.

13. The system of claim 8 wherein the payload data is a component of the
extracted artifact, wherein the markers include at least one of start
bits of the artifact, payload length of the artifact, a set of ending
bits, and other identification bits found in each instance of the
artifact.

14. A method comprising:forming a library of known artifacts by
identifying markers found in data files stored in each instance of a
particular type of artifact;identifying at least one marker in a packet
transmitted through a network based on a match with the
library;determining a type of a file associated with the packet based on
the at least one marker;aggregating relevant portions of the packet with
other packets associated having the at least one marker to extract the
file from the network; andusing the extracted file to perform network
visibility analysis of a plurality of users on data files flowing across
the network.

15. The method of claim 14 further comprising:communicating the extracted
file to a user after reordering the packet and the other packets based on
sequence numbers of each packet.

16. The method of claim 14 wherein the extracted file is at least one of a
word processing document, a spreadsheet document, a database, an image, a
video, a multimedia file, an email, an instant message communication, an
audio file, a compressed file, an executable file, a web page, and a
presentation.

17. The method of claim 14 further comprising:determining that the packet
is encrypted;applying an encrypted data processing module of a network
appliance to generate a request for the encrypted data from a source on
behalf of a requester;receiving a decryption key on the network
appliance;decrypting the packet on the network appliance using the
decryption key; anddetermining the type of an encrypted file based on
decrypted data.

18. The method of claim 14 further comprising:determining that the
extracted file is incomplete; andcommunicating at least a portion of the
extracted file that is incomplete to the user.

19. The method of claim 14 wherein the markers include at least one of
start bits of the artifact, payload length of the artifact, a set of
ending bits, and other identification bits found in each instance of the
artifact.

20. The method of claim 14 in a form of a machine-readable medium
embodying a set of instructions that, when executed by a machine, causes
the machine to perform the method of claim 1.

Description:

FIELD OF TECHNOLOGY

[0001]This disclosure relates generally to an enterprise method, a
technical field of software, hardware and/or networking technology, and
in one example embodiment, to a method, system and apparatus of network
artifact identification and extraction.

BACKGROUND

[0002]An entity may not allow users to transmit/receive an artifact (e.g.,
Microsoft Word® document, digital photograph, etc.) having an
unauthorized information (e.g., a trade secret, etc.) in an electronic
transmission (e.g., e-mail, instant message, etc.) to a destination in a
network that is not controlled by the entity. For example, the entity may
prohibit the transmission/reception of a file with a digital photographic
image based solely on the content of that image (e.g., an offensive
image).

[0003]It may be difficult for the entity to obtain evidence that a
particular user has transmitted/received a prohibited type of information
unless the entity has an opportunity to visually examine a content of the
artifact. The entity may employ several methods to obtain evidence that
the particular user has transmitted/received a prohibited type of
information. For example, the entity may reconfigure an electronic mail
setting of the particular user's electronic mail application to forward
all electronic mail to a supervisor employed by the entity. However, the
particular user may transmit information at a greater frequency and/or at
different times (e.g., at night) than can be monitored by the supervisor.
The methods employed by the entity may be inefficient and/or incomplete.

[0004]Furthermore, they may require considerable expenditures of
financial, network band width and/or supervisor work time to implement.

SUMMARY

[0005]A method, system, and apparatus of network artifact identification
and extraction are disclosed. In one aspect, a method includes
aggregating a payload data (e.g., may be a component of the extracted
artifact) from different network packets to form an aggregated payload
data, matching the payload data with an entry of a library of known
artifacts, determining a type of the payload data based on a match with
the entry of the library of known artifacts, separating the payload data
from a header data in a network packet, and communicating the aggregated
payload data as an extracted artifact (e.g., may be a word processing
document, a spreadsheet document, a database, an image, a video, a
multimedia file, an email, an instant message communication, an audio
file, a compressed file, an executable file, a web page, a presentation,
etc.) to a user.

[0006]The method may include using the extracted artifact to perform
network visibility analysis of users on packets flowing across the
network. The method may also include validating that the entry is
accurate by performing a deeper analysis of the payload data with the
entry of the library of known artifacts. The method may determine that
the payload data is encrypted. The method may apply an encrypted data
processing module of a network appliance to generate a request for the
encrypted data from a source on behalf of a requester. The method may
receive a decryption key from a source of the encrypted data. The method
may decrypt the encrypted data on the network appliance using the
decryption key. The method may determine the type of the encrypted data
based on the decryption.

[0007]The method may include determining that the artifact is incomplete
through an examination of a file structure with a known file
specification. The method may communicate a portion of the incomplete
artifact to the user. The method may also include forming the library of
known artifacts by identifying markers (e.g., may be start bits of the
artifact, payload length of the artifact, a set of ending bits, and/or
other identification bits found in each instance of the artifact) found
in data files stored in each instance of a particular type of artifact.

[0008]In another aspect, a system includes a packet rearrange module to
reorder a network packet and other network packets based on a sequence
number of each of the network packet and other network packets, a packet
analyzer module to separate a payload data (e.g., may be a component of
the extracted artifact) from a header data in the network packet, an
identification module to match the payload data with an entry of a
library of known artifacts, a validation module to verify that the entry
is accurate by performing a deeper analysis of the payload data with the
entry of the library of known artifacts, a type module determine a type
of the payload data based on a match with the entry in the library of
known artifacts, a presentation module to aggregate the payload data from
different network packets to form an aggregated payload data, and an
extraction module to communicate the aggregated payload data as an
extracted artifact (e.g., may be a word processing document, a
spreadsheet document, a database, an image, a video, a multimedia file,
an email, an instant message communication, an audio file, a compressed
file, an executable file, a web page, a presentation, etc.) to a user.

[0009]The system may include a network visibility module to perform
network visibility analysis users on packets flowing across the network
using the extracted artifact. The system may include a determination
module to determine that the payload data is encrypted. The method may
include encrypted data processing module to generate a request for the
encrypted data from a source on behalf of a requestor and/or to receive a
decryption key on a network appliance. The method may include a
decryption module to apply the decryption key to decrypt the encrypted
data on the network appliance.

[0010]The system may include an incomplete management module to determine
that the artifact is incomplete, and/or to communicate a portion of the
incomplete artifact to the user. The system may include a library
formation module to create the library of known artifacts by identifying
markers (e.g., may be start bits of the artifact, payload length of the
artifact, a set of ending bits, and/or other identification bits found in
each instance of the artifact) found in data files stored in each
instance of a particular type of artifact.

[0011]In yet another aspect, the method includes forming a library of
known artifacts by identifying markers (e.g., may be start bits of the
artifact, payload length of the artifact, a set of ending bits, and/or
other identification bits found in each instance of the artifact) found
in data files stored in each instance of a particular type of artifact,
identifying at least one marker in a packet transmitted through a network
based on a match with the library, determining a type of a file
associated with the packet based on the at least one marker, aggregating
relevant portions of the packet with other packets associated having the
at least one marker to extract the file from the network, and using the
extracted file (e.g., may be a word processing document, a spreadsheet
document, a database, an image, a video, a multimedia file, an email, an
instant message communication, an audio file, a compressed file, an
executable file, a web page, a presentation, etc.) to perform network
visibility analysis of users on data files flowing across the network.

[0012]The method may include communicating the extracted file to a user
after reordering the packet and/or the other packets based on sequence
numbers of each packet. The method may include determining that the
packet is encrypted. The method may apply an encrypted data processing
module of a network appliance to generate a request for the encrypted
data from a source on behalf of a requester. The method may receive a
decryption key on the network appliance. The method may decrypt the
packet on the network appliance using the decryption key. The method may
determine the type of an encrypted file based on decrypted data.

[0013]The method may also include determining that the extracted file is
incomplete. The method may communicate a portion of the extracted file
that is incomplete to the user.

[0014]The methods, systems, and apparatuses disclosed herein may be
implemented in any means for achieving various aspects, and may be
executed in a form of a machine-readable medium embodying a set of
instructions that, when executed by a machine, cause the machine to
perform any of the operations disclosed herein. Other features will be
apparent from the accompanying drawings and from the detailed description
that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015]Example embodiments are illustrated by way of example and not
limitation in the figures of the accompanying drawings, in which like
references indicate similar elements and in which:

[0016]FIG. 1 is a system view of data communication in a network managed
by the network visibility module, according to one embodiment.

[0017]FIG. 2 is an exploded view of the network visibility module,
according to one embodiment.

[0018]FIG. 3 is a table view illustrating the information (e.g., start
bits, length, etc.) in a packet, according to one embodiment.

[0019]FIG. 4 is a structural view of a packet, according to one
embodiment.

[0020]FIG. 5 is a structural view of an aggregated payload data, according
to one embodiment.

[0021]FIG. 6 is a diagrammatic system view of a data processing system in
which any of the embodiments disclosed herein may be performed, according
to one embodiment.

[0022]FIG. 7A is a process flow of aggregating a payload data from
different network packets to form a aggregated payload data, according to
one embodiment.

[0023]FIG. 7B is a continuation of process flow of FIG. 7A, illustrating
additional operations, according to one embodiment.

[0024]FIG. 8A is a process flow of forming a library of known artifacts by
identifying markers found in data files stored in each instance of a
particular type of artifact, according to one embodiment.

[0025]FIG. 8B is a continuation of process flow of FIG. 8A, illustrating
additional operations, according to one embodiment.

[0026]Other features of the present embodiments will be apparent from the
accompanying drawings and from the detailed description that follows.

DETAILED DESCRIPTION

[0027]A method, apparatus, and system of network artifact identification
and extraction are disclosed. In the following description, for the
purposes of explanation, numerous specific details are set forth in order
to provide a thorough understanding of the various embodiments. It will
be evident, however to one skilled in the art that the various
embodiments may be practiced without these specific details.

[0028]In one embodiment, a method includes aggregating a payload data
(e.g., the payload data 406 of FIG. 4) (e.g., may be a component of the
extracted artifact) from different network packets to form an aggregated
payload data (e.g., the aggregated payload data 500 of FIG. 5), matching
the payload data 406 with an entry of a library of known artifacts (e.g.,
the library of known artifacts 222 of FIG. 2), determining (e.g., using
the type module 214 of FIG. 2) a type of the payload data 406 based on a
match with the entry of the library of known artifacts 222, separating
(e.g., using the packet analyzer module 202 of FIG. 2) the payload data
406 from a header data in a network packet, and communicating (e.g.,
using the extraction module 210 of FIG. 2) the aggregated payload data
500 as an extracted artifact (e.g., the artifact 504 of FIG. 4) (e.g.,
may be a word processing document, a spreadsheet document, a database, an
image, a video, a multimedia file, an email, an instant message
communication, an audio file, a compressed file, an executable file, a
web page, a presentation, etc.) to a user (e.g., may be to the client
device 102A-N of FIG. 1).

[0029]In another embodiment, a system includes a packet rearrange module
(e.g., the packet rearrange module 226 of FIG. 2) to reorder a network
packet and other network packets based on a sequence number of each of
the network packet and other network packets, a packet analyzer module
(e.g., the packet analyzer module 202 of FIG. 2) to separate a payload
data (e.g., the payload data 406 of FIG. 4) (e.g., may be a component of
the extracted artifact) from a header data in the network packet, an
identification module (e.g., the identification module 208 of FIG. 2) to
match the payload data with an entry of a library of known artifacts, a
validation module (e.g., the validation module 206 of FIG. 2) to verify
that the entry is accurate by performing a deeper analysis of the payload
data 406 with the entry of the library of known artifacts 222, a type
module (e.g., the type module 214 of FIG. 2) determine a type of the
payload data 406 based on a match with the entry in the library of known
artifacts 222, a presentation module (e.g., the presentation module 212
of FIG. 2) to aggregate the payload data 406 from different network
packets to form an aggregated payload data 500, and an extraction module
(e.g., the extraction module 210 of FIG. 2) to communicate the aggregated
payload data 500 as an extracted artifact (e.g., may be a word processing
document, a spreadsheet document, a database, an image, a video, a
multimedia file, an email, an instant message communication, an audio
file, a compressed file, an executable file, a web page, a presentation,
etc.) to a user (e.g., may be to the client device 102A-N of FIG. 1).

[0030]In yet another embodiment, the method includes forming (e.g., using
the library formation module 224 of FIG. 2) a library of known artifacts
(e.g., a library of known artifacts 222 of FIG. 2) by identifying markers
(e.g., may be start bits of the artifact, payload length of the artifact
504, a set of ending bits, and/or other identification bits found in each
instance of the artifact) found in data files stored in each instance of
a particular type of artifact 504, identifying (e.g., using the
identification module 208 of FIG. 2) marker in a packet (e.g., the packet
450 of FIG. 4) transmitted through a network (e.g., the network 104 of
FIG. 1) based on a match with the library, determining (e.g., using the
type module 214 of FIG. 2) a type of a file associated with the packet
450 based on the marker, aggregating (e.g., using the presentation module
212 of FIG. 2) relevant portions of the packet 450 with other packets
associated having the marker to extract the file from the network 104,
and using the extracted file (e.g., may be a word processing document, a
spreadsheet document, a database, an image, a video, a multimedia file,
an email, an instant message communication, an audio file, a compressed
file, an executable file, a web page, a presentation, etc.) to perform
network visibility analysis (e.g., using the network visibility module
100 of FIG. 1) of users on data files flowing across the network 104.

[0031]FIG. 1 is a system view of data communication in a network 104
managed by a network visibility module 100, according to one embodiment.
Particularly, FIG. 1 illustrates a network visibility module 100, client
device 102A-N, a network 104, and WAN/other networks 106, according to
one embodiment.

[0032]The network visibility module 100 may perform network visibility
analysis (e.g., may be a way of modeling what users communicate on the
internet in an organization) of users (e.g., may be employees) on packet
450 flowing across the network 104 using the extracted artifact.

[0034]In example embodiment, FIG. 1 illustrates the client device 102A-N
in a network 104 communicating with the other network (e.g., WAN/other
network 106) that may be managed by the network visibility module 100.

[0035]In one embodiment, the network visibility module 100 may perform
network visibility analysis of the users on packets (e.g., the packet 450
of FIG. 4) flowing across the network 104 using the extracted artifact
504.

[0037]The network visibility module 200 may perform network visibility
analysis (e.g., verify, check) of users on packets flowing across the
network using the extracted artifact. The packet analyzer module 202 may
separate the payload data 506A-N (e.g., that may contain artifact
component) from the header data (e.g., that may contain information
associated to the payload and other details) in the network packet. The
determination module 204 may determine (e.g., verify, validate) that the
payload data 506A-N is encrypted. The validation module 206 may verify
that the entry (e.g., entry of the library of known artifacts 222) is
accurate by performing a deeper analysis of the payload data 506A-N with
the entry of the library of known artifacts.

[0038]The identification module 208 may match the payload data 506A-N with
an entry of a library of known artifacts 222. The extraction module 210
may communicate (e.g., transfer) the aggregated payload data 500 as an
extracted artifact (e.g., the spreadsheet, etc.) to a user (e.g., may be
a client device 102A-N). The presentation module 212 to aggregate the
payload data 406 (e.g., which may have different artifacts components)
from different network packets to form an aggregated payload data 500.
The type module 214 may determine a type of the payload data 406 based on
a match with the entry in the library of known artifacts 222. The
decryption module 216 may apply the decryption key (e.g., a right code)
to decrypt the encrypted data on the network appliance.

[0039]The encrypted data processing module 218 may generate a request for
the encrypted data (e.g., in the payload 404) from a source on behalf of
a requestor and/or to receive a decryption key on a network appliance.
The incomplete management module 220 may determine that the artifact
(e.g., that may contain the data) is incomplete, and/or may communicate
(e.g., transmit) a portion of the incomplete artifact to the user (e.g.,
to the client device). The library of known artifacts 222 may be a
database that may have all the information about the various artifacts
that may possibly used by the client device 102A-N. The library formation
module 224 may create the library of known artifacts 222 by identifying
markers found in data files (e.g., such as spreadsheet file, audio file,
image, etc.) stored in each instance of a particular type of artifact.

[0040]The packet rearrange module 226 may reorder a network packet and
other network packets based on a sequence number (e.g., may be
chronological order) of each of the network packet and other network
packets.

[0041]In example embodiment, the network visibility module may communicate
with the packet analyzer module 202, the determination module 204, the
validation module 206, the identification module 208 and the decryption
module 216. The determination module may communicate with the validation
module 206. The packet analyzer module may communicate with the
presentation module 212. The presentation module 212 may communicate with
the extraction module 210. The extraction module may communicate with the
identification module 208. The identification module 208 may communicate
with the library formation module 224 and the type module 214. The type
module 214 may communicate with the incomplete management module 220 and
the decryption module 216. The decryption module may communicate with the
encrypted data processing module 218. The packet rearrange module 226 may
communicate with the network visibility module 200, according to one
embodiment.

[0042]In one embodiment, the payload data 406 from different network
packets may be aggregated (e.g., using the presentation module 212 of
FIG. 2) to form the aggregated payload data 500. The payload data may be
matched (e.g., using the identification module 208 of FIG. 2) with an
entry of a library of known artifacts (e.g., the library of known
artifacts 222 of FIG. 2). The type of the payload data 406 may be
determined (e.g., using the type module 214 of FIG. 2) based on a match
with the entry of the library of known artifacts 222.

[0043]The payload data 406 may be separated (e.g., using the packet
analyzer module 202 of FIG. 2) from a header data in a network packet.
The aggregated payload data 500 may be communicated (e.g., using the
extraction module 210 of FIG. 2) as an extracted artifact (e.g., the
artifact 504 of FIG. 5) to a user (e.g., may be to the client device
102A-N of FIG. 1). The extracted artifact 504 may be used to perform
network visibility analysis (e.g., using the network visibility module
200 of FIG. 2) of users on packets (e.g., the packet 450 of FIG. 4)
flowing across a network (e.g., the network 104 of FIG. 1). It may be
validated (e.g., using the validation module 206 of FIG. 2) that the
entry is accurate by performing a deeper analysis of the payload data 406
with the entry of the library of known artifacts 222.

[0044]It may be determined (e.g., using the determination module 204 of
FIG. 2) that the payload data is encrypted (e.g., may be by analyzing the
meta-data). The encrypted data processing module (e.g., the encrypted
data processing module 218 of FIG. 2) of a network appliance may be
applied to generate a request for the encrypted data from a source on
behalf of a requestor (e.g., may be the client device 102A-N). The
decryption key may be received (e.g., using the encrypted data processing
module 218 of FIG. 2) from a source of the encrypted data. The encrypted
data on the network appliance may be decrypted (e.g., using the
decryption module 216 of FIG. 2) using the decryption key.

[0045]The type of the encrypted data may be determined based on the
decryption. It may be determined (e.g., using the incomplete management
module 220 of FIG. 2) that the artifact 504 is incomplete through an
examination of a file structure with a known file specification. A
portion of the incomplete artifact may be communicated (e.g., using the
incomplete management module 220 of FIG. 2) to the user. The packet
rearrange module 226 may reorder a network packet and/or other network
packets based on a sequence number of each of the network packet and/o
other network packets. The packet analyzer module 202 may separate a
payload data (e.g., the payload data 406 of FIG. 4) from a header data in
the network packet.

[0046]The identification module 208 may match the payload data 406 with an
entry of the library of known artifacts 222. The validation module 206
may verify that the entry is accurate by performing a deeper analysis of
the payload data 406 with the entry of the library of known artifacts
222. The type module 214 may determine a type of the payload data 406
based on a match with the entry in the library of known artifacts 222.
The presentation module 212 may aggregate the payload data 406 from
different network packets to form an aggregated payload data 500. The
extraction module 210 may communicate the aggregated payload data 500 as
an extracted artifact 504 to a user.

[0047]The determination module 204 may determine that the payload data 406
is encrypted. The encrypted data processing module 218 may generate a
request for the encrypted data from a source on behalf of a requester
and/or may receive a decryption key on a network appliance. The
decryption module 216 may apply the decryption key to decrypt the
encrypted data on the network appliance. The incomplete management module
220 may determine that the artifact is incomplete, and may communicate a
portion of the incomplete artifact to the user. The library formation
module 224 may create the library of known artifacts 222 by identifying
markers found in data files stored in each instance of a particular type
of artifact 504.

[0048]The library of known artifacts 222 may be formed (e.g., using the
library formation module 224 of FIG. 2) by identifying markers found in
data files stored in each instance of a particular type of artifact 504.
The library of known artifacts 222 may be formed (e.g., using the library
formation module 224 of FIG. 2) by identifying markers found in data
files stored in each instance of a particular type of artifact 504. The
marker in a packet (e.g., the packet 450 of FIG. 4) transmitted through a
network (e.g., the network 104 of FIG. 1) may be identified (e.g., using
the identification module 208 of FIG. 2) based on a match with the
library.

[0049]A type of a file associated with the packet 450 may be determined
(e.g., using the type module 214 of FIG. 2) based on the marker. Relevant
portions of the packet 450 may be aggregated (e.g., using the
presentation module 212 of FIG. 2) with other packets associated having
the marker to extract the file from the network 104. The extracted file
may be used to perform network visibility analysis (e.g., using the
network visibility module 100 of FIG. 1) of a plurality of users on data
files flowing across the network.104.

[0050]The extracted file may be communicated (e.g., using the extraction
module 210 of FIG. 2) to a user (e.g., may be to the client device 102A-N
of FIG. 1) after reordering the packet 450 and the other packets based on
sequence numbers (e.g., may be chronologically sequenced) of each packet
450. It may be determining (e.g., using the determination module 204 of
FIG. 2) that the packet 459 is encrypted. An encrypted data processing
module (e.g., the encrypted data processing module 218 of FIG. 2) of a
network appliance may be applied to generate a request for the encrypted
data from a source on behalf of a requestor (e.g., may be the client
device 102A-N of FIG. 1). The decryption key may be received (e.g., the
encrypted data processing module 218 of FIG. 2) on the network appliance.

[0051]The packet 450 on the network 104 appliance may be decrypted (e.g.,
using the decryption module 216 of FIG. 2) using the decryption key. The
type of an encrypted file may be determined (e.g., by analyzing the
meta-data content of the header 402) based on decrypted data. It may be
determined (e.g., using the incomplete management module 220 of FIG. 2)
that the extracted file (e.g., word file, excel file, open office file,
etc.) is incomplete. A portion of the extracted file that is incomplete
may be communicated (e.g., using the incomplete management module 220 of
FIG. 2) to the user (e.g., to the client device 102A-N).

[0052]FIG. 3 is a table view illustrating the information (e.g., start
bits, length, etc.) in a packet, according to one embodiment.
Particularly, FIG. 3 illustrates an artifact field 302, start bits field
304, length field 306, end bits field 308, encrypted field 310 and other
field 312, according to one embodiment.

[0053]The artifact field 302 may illustrate the type of artifacts in the
payload data 406. The start bits field 304 may illustrate a first state
that indicates start of a sequence of data block bits. The length field
306 may illustrate the length of the payload 404. The end bits field 308
may illustrate the end bits that may mark the end of the packet and/or
preamble bit for the subsequent packet. The encrypted field 310 may
illustrate whether the payload data is encrypted or not. The other field
312 may illustrate the other information associated to the artifacts.

[0054]In example embodiment, FIG. 3 illustrates table view 350. The
artifact field 302 may illustrate "word processing document" in first
row, "spreadsheet file" in second row, "image" in third row, and "video"
in fourth row. The start bits filed 304 may illustrate "4 bits as 1011"
in first row, "3 bits as 110" in second row, "6 bits as 111011" in third
row, and "8 bits as 01011000" in fourth row. The length field 306 may
illustrate "16 bits" in the first row, "24 bits" in the second row, "32
bits" in the third row, and "64 bits" in the fourth row. The end bits
field 308 may illustrate "4 bits as 1001" in the first row, "2 bits as
11" in the second row, "6 bits as 100110" in the third row, and "4 bits
as 1010" in the fourth row. The encrypted field 318 may illustrate "yes"
in the first row, "no" in the second row, "no" in the third row, and
"yes" in the fourth row. The other field 312 may illustrate "repeats
every two intervals" in the first row, "three periods" in the second row,
"identifier bits in header" in the third row, and "sequence shifts" in
the fourth row.

[0055]FIG. 4 is a structural view of a packet 450, according to one
embodiment. Particularly, FIG. 4 illustrates a header 402, a payload 404,
and a payload data 406, according to one embodiment.

[0056]The header 402 may have instructions (e.g., length of packet, packet
number, synchronization, protocol, destination address, originating
address, meta-data, etc.) associated to the data carried by the packet
450. The payload 404 may be a part of the packet 450 that carries actual
data. The payload data 406 may contain the data (e.g., the artifact
component) described by the next header field.

[0057]In example embodiment, FIG. 4 illustrates the structure if the
packet 450 that may include the header 402, the payload 404, and the
payload data 406. The header 402 may contain all the necessary
information associated to the packet 450. The payload may be a part of
the packet 450 which may contain data (e.g., artifact, etc.) and other
information associated to the data. The payload data 406 may have the
actual artifact and information that would have been described in the
header 402.

[0058]In one embodiment, the payload data 406 may be a component of the
extracted artifact 504. The markers may include start bits of the
artifact 504, payload length of the artifact 504, a set of ending bits,
and/or other identification bits found in each instance of the artifact
504.

[0059]FIG. 5 is a structural view of an aggregated payload data, according
to one embodiment. Particularly, FIG. 5 illustrates an aggregated payload
data 500, a header 502, an artifact 504, and payload data 506A-N,
according to one embodiment.

[0060]The aggregated payload data 500 may be a collection of payload data
that may be aggregated form the network packets. The header 502 may
include information associated to the aggregated payload data 500 along
with the other data (e.g., sequence number, packet length, etc.). The
artifact 504 may be a data chunk (e.g., packets of data of an email, an
instant message communication, an audio file, a compressed file, etc.)
that may be carried by the packet that flows in the network. The payload
data 506A-N may be a collection of payload data (e.g., that may include a
word processing document, a spreadsheet document, a database, an image, a
video, a multimedia file, an email, an instant message communication, an
audio file, a compressed file, an executable file, a web page, a
presentation, etc.) that may be aggregated form the network packets.

[0061]In example embodiment, FIG. 5 illustrates the aggregated payload
data 500 that may be generated by collection of different payloads
aggregated from the network packets. The aggregated payload data 500 may
include a header 502 and the artifact 504. The header 502 may contain
information associated to the aggregated payload data 500 and the other
data (e.g., such as length of payload, content, etc.)

[0062]In one embodiment, the extracted artifact 504 may be a word
processing document, a spreadsheet document, a database, an image, a
video, a multimedia file, an email, an instant message communication, an
audio file, a compressed file, an executable file, a web page, a
presentation, etc.

[0063]FIG. 6 is a diagrammatic system view of a data processing system in
which any of the embodiments disclosed herein may be performed, according
to one embodiment. Particularly, the diagrammatic system view 600 of FIG.
6 illustrates a processor 602, a main memory 604, a static memory 606, a
bus 608, a video display 610, an alpha-numeric input device 612, a cursor
control device 614, a drive unit 616, a signal generation device 618, a
network interface device 620, a machine readable medium 622, instructions
624, and a network 626, according to one embodiment.

[0064]The diagrammatic system view 600 may indicate a personal computer
and/or the data processing system in which one or more operations
disclosed herein are performed. The processor 602 may be a
microprocessor, a state machine, an application specific integrated
circuit, a field programmable gate array, etc. (e.g., Intel®
Pentium® processor). The main memory 604 may be a dynamic random
access memory and/or a primary memory of a computer system.

[0065]The static memory 606 may be a hard drive, a flash drive, and/or
other memory information associated with the data processing system. The
bus 608 may be an interconnection between various circuits and/or
structures of the data processing system. The video display 610 may
provide graphical representation of information on the data processing
system. The alpha-numeric input device 612 may be a keypad, a keyboard
and/or any other input device of text (e.g., a special device to aid the
physically handicapped).

[0066]The cursor control device 614 may be a pointing device such as a
mouse. The drive unit 616 may be the hard drive, a storage system, and/or
other longer term storage subsystem. The signal generation device 618 may
be a bios and/or a functional operating system of the data processing
system. The network interface device 620 may be a device that performs
interface functions such as code conversion, protocol conversion and/or
buffering required for communication to and from the network 626. The
machine readable medium 622 may provide instructions on which any of the
methods disclosed herein may be performed. The instructions 624 may
provide source code and/or data code to the processor 602 to enable any
one or more operations disclosed herein.

[0067]FIG. 7A is a process flow of aggregating a payload data (e.g., the
payload data 406 of FIG. 4) from different network packets to form an
aggregated payload data (e.g., the aggregated payload data 500 of FIG.
5), according to one embodiment. In operation 702, the payload data 406
from different network packets may be aggregated (e.g., using the
presentation module 212 of FIG. 2) to form the aggregated payload data
500. In operation 704, the payload data may be matched (e.g., using the
identification module 208 of FIG. 2) with an entry of a library of known
artifacts (e.g., the library of known artifacts 222 of FIG. 2). In
operation 706, a type of the payload data 406 may be determined (e.g.,
using the type module 214 of FIG. 2) based on a match with the entry of
the library of known artifacts 222.

[0068]In operation 708, the payload data 406 may be separated (e.g., using
the packet analyzer module 202 of FIG. 2) from a header data in a network
packet. In operation 710, the aggregated payload data 500 may be
communicated (e.g., using the extraction module 210 of FIG. 2) as an
extracted artifact (e.g., the artifact 504 of FIG. 5) to a user (e.g.,
may be to the client device 102A-N of FIG. 1). In operation 712, the
extracted artifact 504 may be used to perform network visibility analysis
(e.g., using the network visibility module 200 of FIG. 2) of users on
packets (e.g., the packet 450 of FIG. 4) flowing across a network (e.g.,
the network 104 of FIG. 1).

[0069]The extracted artifact 504 may be a word processing document, a
spreadsheet document, a database, an image, a video, a multimedia file,
an email, an instant message communication, an audio file, a compressed
file, an executable file, a web page, a presentation, etc. In operation
714, it may be validated (e.g., using the validation module 206 of FIG.
2) that the entry is accurate by performing a deeper analysis of the
payload data 406 with the entry of the library of known artifacts 222.

[0070]FIG. 7B is a continuation of process flow of FIG. 7A, illustrating
additional operations, according to one embodiment. In operation 716, it
may be determined (e.g., using the determination module 204 of FIG. 2)
that the payload data is encrypted (e.g., may be by analyzing the
meta-data). In operation 718, an encrypted data processing module (e.g.,
the encrypted data processing module 218 of FIG. 2) of a network
appliance may be applied to generate a request for the encrypted data
from a source on behalf of a requestor (e.g., may be the client device
102A-N). In operation 720, a decryption key may be received (e.g., using
the encrypted data processing module 218 of FIG. 2) from a source of the
encrypted data. In operation 722, the encrypted data on the network
appliance may be decrypted (e.g., using the decryption module 216 of FIG.
2) using the decryption key. In operation 724, the type of the encrypted
data may be determined based on the decryption.

[0071]In operation 726, it may be determined (e.g., using the incomplete
management module 220 of FIG. 2) that the artifact 504 is incomplete
through an examination of a file structure with a known file
specification. In operation 728, a portion of the incomplete artifact may
be communicated (e.g., using the incomplete management module 220 of FIG.
2) to the user. In operation 730, the library of known artifacts 222 may
be formed (e.g., using the library formation module 224 of FIG. 2) by
identifying markers found in data files stored in each instance of a
particular type of artifact 504.

[0072]The payload data 406 may be a component of the extracted artifact
504. The markers may include start bits of the artifact 504, payload
length of the artifact 504, a set of ending bits, and/or other
identification bits found in each instance of the artifact 504.

[0073]FIG. 8 is a process flow of forming a library of known artifacts
(e.g., the library of known artifacts 222 of FIG. 2) by identifying
markers found in data files stored in each instance of a particular type
of artifact, according to one embodiment. In operation 802, the library
of known artifacts 222 may be formed (e.g., using the library formation
module 224 of FIG. 2) by identifying markers found in data files stored
in each instance of a particular type of artifact 504. In operation 804,
marker in a packet (e.g., the packet 450 of FIG. 4) transmitted through a
network (e.g., the network 104 of FIG. 1) may be identified (e.g., using
the identification module 208 of FIG. 2) based on a match with the
library.

[0074]In operation 806, a type of a file associated with the packet 450
may be determined (e.g., using the type module 214 of FIG. 2) based on
the marker. In operation 808, relevant portions of the packet 450 may be
aggregated (e.g., using the presentation module 212 of FIG. 2) with other
packets associated having the marker to extract the file from the network
104. In operation 810, the extracted file may be used to perform network
visibility analysis (e.g., using the network visibility module 100 of
FIG. 1) of a plurality of users on data files flowing across the
network.104.

[0075]FIG. 8B is a continuation of process flow of FIG. 8A, illustrating
additional operations, according to one embodiment. In operation 812, the
extracted file may be communicated (e.g., using the extraction module 210
of FIG. 2) to a user (e.g., may be to the client device 102A-N of FIG. 1)
after reordering the packet 450 and the other packets based on sequence
numbers (e.g., may be chronologically sequenced) of each packet 450. The
extracted file may be a word processing document, a spreadsheet document,
a database, an image, a video, a multimedia file, an email, an instant
message communication, an audio file, a compressed file, an executable
file, a web page, a presentation, etc.

[0076]In operation 814, it may be determining (e.g., using the
determination module 204 of FIG. 2) that the packet 459 is encrypted. In
operation 816, an encrypted data processing module (e.g., the encrypted
data processing module 218 of FIG. 2) of a network appliance may be
applied to generate a request for the encrypted data from a source on
behalf of a requester (e.g., may be the client device 102A-N of FIG. 1).
In operation 818, a decryption key may be received (e.g., the encrypted
data processing module 218 of FIG. 2) on the network appliance. In
operation 820, the packet 450 on the network 104 appliance may be
decrypted (e.g., using the decryption module 216 of FIG. 2) using the
decryption key.

[0077]In operation 822, the type of an encrypted file may be determined
(e.g., by analyzing the meta-data content of the header 402) based on
decrypted data. In operation 824, it may be determined (e.g., using the
incomplete management module 220 of FIG. 2) that the extracted file
(e.g., word file, excel file, open office file, etc.) is incomplete. In
operation 826, a portion of the extracted file that is incomplete may be
communicated (e.g., using the incomplete management module 220 of FIG. 2)
to the user (e.g., to the client device 102A-N). The markers may include
start bits of the artifact, payload length of the artifact 504, a set of
ending bits, and/or other identification bits found in each instance of
the artifact 504.

[0078]Although the present embodiments have been described with reference
to specific example embodiments, it will be evident that various
modifications and changes may be made to these embodiments without
departing from the broader spirit and scope of the various embodiments.
For example, the various devices, modules, analyzers, generators, etc.
described herein may be enabled and operated using hardware circuitry
(e.g., CMOS based logic circuitry), firmware, software and/or any
combination of hardware, firmware, and/or software (e.g., embodied in a
machine readable medium). For example, the various electrical structure
and methods may be embodied using transistors, logic gates, and
electrical circuits (e.g., application specific integrated (ASIC)
circuitry and/or in Digital Signal Processor (DSP) circuitry).

[0080]In addition, it will be appreciated that the various operations,
processes, and methods disclosed herein may be embodied in a
machine-readable medium and/or a machine accessible medium compatible
with a data processing system (e.g., a computer system), and may be
performed in any order (e.g., including using means for achieving the
various operations). Accordingly, the specification and drawings are to
be regarded in an illustrative rather than a restrictive sense.

Patent applications by Matthew Scott Wood, Salt Lake City, UT US

Patent applications by Paal Tveit, Salt Lake City, UT US

Patent applications in class Switching a message which includes an address header

Patent applications in all subclasses Switching a message which includes an address header